Wednesday, October 16, 2019 1:00 PM

Cybersecurity Awareness: The Cost of Violating HIPAA

Written by Tim Burris, HCISPP, Product Manager, Privacy and Security - iatricSystems


In support of Cybersecurity Awareness Month, we've shared tips so far for "Owning It" with remote access security and "Securing It" with multi-factor authentication. Today I want to talk about "Protecting It" and the potential costs of a HIPAA violation if you aren't able to protect it (with "it" being PHI).

But first, I'm excited to share that in ongoing support of all cybersecurity topics during Cybersecurity Awareness Month, we hosted a series of five short 10-minute webinars each day the last week in October called "Cybersecurity Coffee Chats." We covered topics including remote access security, multi-factor authentication, phishing, and patient privacy.

Click this link to access the entire Cybersecurity coffee chat series.

So now let's move to the very important topic of Protecting "It". Every healthcare organization has the goal of safeguarding patient data, and you go to great lengths and expense to do so. Sometimes, however, things happen and you could find yourself in a situation where a breach has occurred.

It's important for you to know and understand the potential costs of a breach violation, and more importantly, identify things that you can do to make sure that you never have to incur one of these charges.

I am going to share here some details about what a HIPAA violation could cost you, and some tips about how to provide ongoing training of your staff. 

Did you know that failure to comply with HIPAA requirements can not only result in disciplinary action for the offending individual, but also civil and criminal penalties? These penalties can apply to both individuals and to the covered entities with which they are associated.

Here is a breakdown of both civil and criminal penalties that can occur as a result of a breach violation.

Civil Penalties:

  • The Office for Civil Rights (OCR) may impose a penalty for failure to comply with a requirement of the Privacy Rule.
  • Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity or individual knew or should have known of the failure to comply, or whether the failure to comply was due to willful neglect.
  • Penalty amount: $100 to $50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year.

Criminal Penalties:

  • A person who knowingly violates the Privacy Rule may face criminal penalties of up to $50,000 and up to one year of imprisonment.
  • If the violation involves false pretenses, criminal penalties increase to $100,000 and up to 5 years of imprisonment.
  • If the violation involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm, criminal penalties increase to up to $250,000 and up to 10 years of imprisonment.

In this era of regulation and increasingly strict sanctions, it is more important than ever that we truly own our own data. Ownership of data implies a responsibility to keep it safe.

I recently presented a webinar that shared information about how to implement patient privacy awareness training with your staff. Some of the highlights included:

  • Create a training program that gets the message in front of your staff multiple times, in multiple ways.
  • Start training on day one about how to protect patient privacy.
  • Create awareness at the department level.
  • Create awareness at the organizational level.
  • Learn from mistakes and adapt the training accordingly.

You can watch the recording of "The Cost of Violating HIPAA" webinar below.

